dawarich/app/controllers/users/omniauth_callbacks_controller.rb

# frozen_string_literal: true

class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
  def github
    handle_auth('GitHub')
  end

  def google_oauth2
    handle_auth('Google')
  end

  def openid_connect
    handle_auth('OpenID Connect')
  end

  def failure
    error_type = request.env['omniauth.error.type']
    error = request.env['omniauth.error']

    # Provide user-friendly error messages
    error_message =
      case error_type
      when :invalid_credentials
        'Invalid credentials. Please check your username and password.'
      when :timeout
        'Connection timeout. Please try again.'
      when :csrf_detected
        'Security error detected. Please try again.'
      else
        if error&.message&.include?('Discovery')
          'Unable to connect to authentication provider. Please contact your administrator.'
        elsif error&.message&.include?('Issuer mismatch')
          'Authentication provider configuration error. Please contact your administrator.'
        else
          "Authentication failed: #{params[:message] || error&.message || 'Unknown error'}"
        end
      end

    redirect_to root_path, alert: error_message
  end

  private

  def handle_auth(provider)
    @user = User.from_omniauth(request.env['omniauth.auth'])

    if @user&.persisted?
      flash[:notice] = I18n.t 'devise.omniauth_callbacks.success', kind: provider
      sign_in_and_redirect @user, event: :authentication
    elsif @user.nil?
      # User creation was rejected (e.g., OIDC auto-register disabled)
      error_message = if provider == 'OpenID Connect' && !oidc_auto_register_enabled?
                        'Your account must be created by an administrator before you can sign in with OIDC. ' \
                        'Please contact your administrator.'
                      else
                        'Unable to create your account. Please try again or contact support.'
                      end
      redirect_to root_path, alert: error_message
    else
      redirect_to new_user_registration_url, alert: @user.errors.full_messages.join("\n")
    end
  end

  def oidc_auto_register_enabled?
    env_value = ENV['OIDC_AUTO_REGISTER']
    return true if env_value.nil?

    ActiveModel::Type::Boolean.new.cast(env_value)
  end
end